Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

PIX-PIX VPN

Just checking if anyone knows a way of connecting two sites that use the same subnet by VPN. Is it possible using just the two PIX firewalls?

Any help is appreciated.

Thanks

5 REPLIES
New Member

Re: PIX-PIX VPN

Thanks for the reply. I had a look at the other topic, however the commands discussed are IOS router commands. Both of the PIX firewalls in my case are connected directly to Wireless broadband links and therefore there are no routers or other hardware at all between the two firewalls.

Regards

Derek

Re: PIX-PIX VPN

Hi Derek,

Yes, you can, but only with NAT.

On each subnet you perform a NAT to one (Public) IP, and you do the VPNs between those IPs.

In this case though, the stations from the different LANs will not see each other as in the same subnet.

PIX1:

nat 15 (inside) 10.0.0.0 255.255.255.0

global 15 (outside) IP-Public-1 netmask 255.255.255.255

access-list Crypto-Map permit ip host IP-Public-1 host IP-Public-2

PIX2:

nat 15 (inside) 10.0.0.0 255.255.255.0

global 15 (outside) IP-Public-2 netmask 255.255.255.255

access-list Crypto-Map permit ip host IP-Public-2 host IP-Public-1

So the VPN is between IP-Public-1 and IP-Public-2.

Please rate if this helped.

Regards,

Daniel

Hall of Fame Super Blue

Re: PIX-PIX VPN

Daniel

I'm confused about this answer. If a host behind pix1 wants to talk to a host behind pix2 then how does it do that. If it talks to 10.0.0.x address it will just arp out locally. If it talks to the public ip address of pix2 then when it gets to pix2 how does that firewall know which 10.0.0.x address it is intended for ?

Surely what you would need to do is have a one to one mapping at each end ie. if pix1 clients need to talk to 10.0.0.5 & 10.0.0.6 at pix2 site then you need to present those addresses internally into pix site as different IP's which can then be translated back to their original addresses at the other end.

What am i missing ?

Re: PIX-PIX VPN

Yup, my mistake there.

One end (LAN 1), the one that will receive the connections (servers) will need to have static mapping, ie:

static (inside,outside) IP1-Global IP1-Local netmask 255.255.255.255

static (inside,outside) IP2-Global IP2-Local netmask 255.255.255.255

.....................................................................

So, the other end (LAN 2) will access the hosts on with IP1-Global, IP2-Global..... BUT LAN1 will not be able to initiate connections with LAN 2.

The VPN will be between LAN1-Public IP and IP1-Global, IP2-Global and so on.

Please rate if this helped.

Regards,

Daniel

115
Views
0
Helpful
5
Replies